This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.
Re: Fix for PR70926 in Libiberty Demangler (5)
- From: Marcel Böhme <boehme dot marcel at gmail dot com>
- To: gcc-patches at gcc dot gnu dot org
- Cc: Bernd Schmidt <bschmidt at redhat dot com>
- Date: Thu, 26 May 2016 15:02:38 +0800
- Subject: Re: Fix for PR70926 in Libiberty Demangler (5)
- Authentication-results: sourceware.org; auth=none
- References: <23D17F58-63E3-4205-A7BC-81D0C15CCC4E at gmail dot com>
Hi: Pending review.
Best - Marcel
> On 3 May 2016, at 10:40 PM, Marcel Böhme <boehme.marcel@gmail.com> wrote:
>
> Hi,
>
> This fixes four access violations (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926).
>
> Two of these first read the value of a length variable len from the mangled string, then strncpy len characters from the mangled string; more than necessary.
> The other two read the value of an array index n from the mangled string, which can be negative due to an overflow.
>
> Bootstrapped and regression tested on x86_64-pc-linux-gnu. Test cases added to libiberty/testsuite/demangler-expected and checked PR70926 is resolved.
>
> Best regards,
> - Marcel
>
> Index: libiberty/ChangeLog
> ===================================================================
> --- libiberty/ChangeLog (revision 235801)
> +++ libiberty/ChangeLog (working copy)
> @@ -1,3 +1,12 @@
> +2016-05-03 Marcel BÃhme <boehme.marcel@gmail.com>
> +
> + PR c++/70926
> + * cplus-dem.c: Handle large values and overflow when demangling
> + length variables.
> + (demangle_template_value_parm): Read only until end of mangled string.
> + (do_hpacc_template_literal): Likewise.
> + (do_type): Handle overflow when demangling array indices.
> +
> 2016-05-02 Marcel BÃhme <boehme.marcel@gmail.com>
>
> PR c++/70498
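Review bot: the ChangeLog entry omits the testsuite change: the patch also adds cases to libiberty/testsuite/demangle-expected, so the new entry should carry a line such as `* testsuite/demangle-expected: Add tests for PR70926.` alongside the cplus-dem.c items.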
> Index: libiberty/cplus-dem.c
> ===================================================================
> --- libiberty/cplus-dem.c (revision 235801)
> +++ libiberty/cplus-dem.c (working copy)
> @@ -2051,7 +2051,8 @@ demangle_template_value_parm (struct work_stuff *w
> else
> {
> int symbol_len = consume_count (mangled);
> - if (symbol_len == -1)
> + if (symbol_len == -1
> + || symbol_len > (long) strlen (*mangled))
> return -1;
> if (symbol_len == 0)
> string_appendn (s, "0", 1);
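Review bot: the guard is right, but a one-line comment would help: because `symbol_len == -1` is tested first, the `(long)` cast on `strlen (*mangled)` only serves to keep the comparison signed for a positive `symbol_len` against a `size_t`; the identical idiom appears in do_hpacc_template_literal below, so a small shared "count fits in remaining input" helper would stop the two sites from drifting.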
> @@ -3611,7 +3612,7 @@ do_type (struct work_stuff *work, const char **man
> /* A back reference to a previously seen type */
> case 'T':
> (*mangled)++;
> - if (!get_count (mangled, &n) || n >= work -> ntypes)
> + if (!get_count (mangled, &n) || n < 0 || n >= work -> ntypes)
> {
> success = 0;
> }
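Review bot: the `n < 0` test blocks a negative back-reference index from reaching before the start of the type table, but it treats the symptom at the call site; `get_count` should itself refuse a count that overflows `int` (failing the way `consume_count` does), so every caller is covered and not only the two patched here. If `get_count` is left as is, add a comment stating that `n` can go negative through overflow, since the check reads as redundant otherwise.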
> @@ -3789,7 +3790,7 @@ do_type (struct work_stuff *work, const char **man
> /* A back reference to a previously seen squangled type */
> case 'B':
> (*mangled)++;
> - if (!get_count (mangled, &n) || n >= work -> numb)
> + if (!get_count (mangled, &n) || n < 0 || n >= work -> numb)
> success = 0;
> else
> string_append (result, work->btypevec[n]);
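Review bot: same guard as in case 'T' above, protecting the `work->btypevec[n]` access on the following line; this second repeated `n < 0` check is the argument for rejecting overflowed counts once inside `get_count` rather than at each use.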
> @@ -4130,7 +4131,8 @@ do_hpacc_template_literal (struct work_stuff *work
>
> literal_len = consume_count (mangled);
>
> - if (literal_len <= 0)
> + if (literal_len <= 0
> + || literal_len > (long) strlen (*mangled))
> return 0;
>
> /* Literal parameters are names of arrays, functions, etc. and the
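Review bot: `literal_len <= 0` already catches the -1 that `consume_count` returns on overflow, so the added clause only needs to bound a positive count, which it does; as this is now the second `literal_len > (long) strlen (*mangled)`-style comparison in the file, consider factoring it into one helper shared with demangle_template_value_parm.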
> Index: libiberty/testsuite/demangle-expected
> ===================================================================
> --- libiberty/testsuite/demangle-expected (revision 235801)
> +++ libiberty/testsuite/demangle-expected (working copy)
> @@ -4441,3 +4441,16 @@ __vt_90000000000cafebabe
>
> _Z80800000000000000000000
> _Z80800000000000000000000
> +#
> +# Tests write access violation PR70926
> +
> +0__Ot2m02R5T0000500000
> +0__Ot2m02R5T0000500000
> +#
> +
> +0__GT50000000000_
> +0__GT50000000000_
> +#
> +
> +__t2m05B500000000000000000_
> +__t2m05B500000000000000000_
>
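Review bot: the mail describes four access violations but this hunk adds three inputs, and the single comment (`# Tests write access violation PR70926`) does not say which fixed function each input exercises; a `#` line per case naming the function (demangle_template_value_parm, do_type case 'T' or 'B', do_hpacc_template_literal) would show whether one input covers two fixes or a fourth case is missing. Each expected line repeats its input, i.e. the demangler is expected to reject the string and return it unchanged, which the comment should state as well.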
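As an added illustration of the two kinds of guard this patch introduces, here is a small self-contained C program (not libiberty code; `parse_count`, `take_symbol` and `back_reference_ok` are hypothetical stand-ins for the demangler's routines): a count parser that refuses overflow instead of handing back a wrapped, negative value, a length check against the characters remaining in the mangled string, and a non-negative bound on a back-reference index.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for the demangler's count parser (not libiberty's
   consume_count/get_count): reads a decimal count at *p and advances past it.
   Returns -1 if no digit is present or the value would overflow int. */
static int parse_count(const char **p)
{
    const char *s = *p;
    int count = 0;
    if (*s < '0' || *s > '9')
        return -1;
    for (; *s >= '0' && *s <= '9'; s++) {
        int digit = *s - '0';
        if (count > (INT_MAX - digit) / 10)   /* count*10+digit would overflow */
            return -1;
        count = count * 10 + digit;
    }
    *p = s;
    return count;
}
/* Length guard as in the patch: a count larger than the characters that remain
   would read past the end of the input.  Returns chars copied, or -1. */
static int take_symbol(const char **p, char *out, size_t out_size)
{
    int len = parse_count(p);
    if (len == -1 || len > (long) strlen(*p) || (size_t) len >= out_size)
        return -1;
    memcpy(out, *p, (size_t) len);
    out[len] = '\0';
    *p += len;
    return len;
}
/* Index guard as in the patch: a back reference must be >= 0 and < ntypes. */
static int back_reference_ok(const char *s, int ntypes)
{
    int n = parse_count(&s);
    return n >= 0 && n < ntypes;
}

/* Wrappers so a string literal can be passed straight in. */
static int count_of(const char *s) { return parse_count(&s); }
static int symbol_len_of(const char *s) { char buf[32]; return take_symbol(&s, buf, sizeof buf); }

int main(void)
{   /* Constructed inputs modelled on the new demangle-expected cases. */
    printf("%d %d %d %d\n", count_of("500000000000000000_"), symbol_len_of("5abc"),
           symbol_len_of("3abcdef"), back_reference_ok("50000000000_", 4));
    return 0;   /* prints: -1 -1 3 0 */
}
```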